Solved

Need help cleaning a system of Malware/Virus/Bad things

Posted on 2011-09-03
Last Modified: 2013-11-22
Hello All,

Been working on a friend's computer for a while now. It's running Windows XP Home. It had/has multiple infections of various types. Ran Malwarebytes and installed Norton Security, both of which found multiple items and cleaned them. Also ran the Microsoft Malicious Software Removal Tool. I am at the point that the scanners are coming back as clean, but there is still something left or there is damage to XP that needs to be fixed. I just found a way back into safe mode, which I was blocked out of until I found a post that had a registry file to use to get into it. Running a Malwarebytes full scan again at the moment. I believe the Administrator account was also disabled, and I still need a way to fix that.

I realize I probably need to post a HijackThis log or something for you all to look at. Will do in a few hours after I sleep a bit and the MB scan finishes. Until then, any general suggestions to start with at this point?

Of course all help will be greatly appreciated.
1
Question by:Chicago_Guy
18 Comments
 
LVL 17

Expert Comment

by:houssam_ballout
0
 
LVL 27

Expert Comment

by:davorin
Try to do a system restore to a couple of days before the system was infected and then scan the computer again.
0
 
LVL 16

Expert Comment

by:Nenad Rajsic
I know it's not always feasible, but would it not be easier just to back up his files and reformat the machine? It sounds like you have spent quite a few hours working on it, and the end result will be "clean", but is there any other damage? I would format/install/update and protect. When I say update, that means update everything, not just Windows. Flash and Adobe Reader are the most vulnerable apps at the moment.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
I've seen many infected systems. Download and run TDSSKiller and SUPERAntiSpyware.

If ComboFix, TDSSKiller, Norton, Malwarebytes and SUPERAntiSpyware don't work, then you are probably better off in the long run backing up all data files, performing a clean install and copying your user files back on.
0
 
LVL 4

Expert Comment

by:compuiter
Also use spybot
0
 
LVL 23

Expert Comment

by:Dr. Klahn
I tend to agree with the above comments regarding reformatting and starting from scratch.

Figuring an hour to reinstall XP, two hours to install all the updates, another hour to configure it to the user's liking, and half an hour for each application installed.  When you hit the eight hour mark trying to repair, it's probably more sensible to start over.

There will be guaranteed good results with a clean install.  There won't be guaranteed good results cleaning up a heavily infested system, and at any time something unpleasant may pop up that renders the system unusable.

A side benefit of doing a clean install is that the unhappy loss of settings, customizations and whatnot may prompt the owner to be more careful in the future.

fwiw:  I've never seen a system operate correctly with Norton installed.  Suggest a different antivirus such as AVG.
0
 
LVL 6

Accepted Solution

by:K_Wilke earned 250 total points
Norton stinks, period.
I would run full scan with Malwarebytes in regular mode and also license this AND click on the enable protection.
Run combofix in regular mode
Run TDSSKiller in regular mode
Then run SUPERAntiSpyware in regular mode
That should get 95% of all bad items out there.
If there is something specific that it is doing, then post it here so we can help, such as icons not showing up, IE being redirected, etc.
Thanks,
Kelly W.
0
 

Author Comment

by:Chicago_Guy
Yeah, I agree with you all that a wipe and reinstall would be best, but this is my friend's business computer; if it can be fixed without that, I have to try to.

Ok, in safe mode Malwarebytes on full scan found nothing.

Ran TDSSKiller, found nothing.

Running SuperAntiSpyware, it says it has found 300 tracking cookies, and Trojan.Agent/Gen-Cryptor[Egun]. Scan still running.

With combofix, can I post the log here or should I use bleepingcomputer? Lots of warnings about "using it without supervision". I am not a novice, but I have never used combofix before.

Thank you all for the help so far!
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Pointed question to ask your friend:

"Since this system is your business computer, and it is used to keep your business running, which is presumably important, and the system didn't infect itself, whose carelessness let all these things get into your system?"
0
 
LVL 6

Expert Comment

by:K_Wilke
Do not run Malwarebytes or TDSSKiller in safe mode; do them (and ComboFix) in regular mode.
As far as the pointed question, I agree, but that is why you license Malwarebytes and run it in protected mode.  It will not let you go to websites with possible malware on it.
Thanks,
Kelly W.
0
 

Author Comment

by:Chicago_Guy
Dr. Klahn - I fully agree, and it has been discussed at length. Now I am picking up the pieces.

And yes he will hopefully owe me (and of course all of you) big time.

Ok, SUPERAntiSpyware supposedly has taken care of Trojan.Agent/Gen-Cryptor[Egun].

Going to reboot and do scans in normal mode
0
 

Author Comment

by:Chicago_Guy
Ok, ran TDSSKiller in normal mode, it found nothing.

Running Malwarebytes full scan now, so far nothing.

Other issues:
I was able to log on as the administrator, but I am getting "an access denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes" when trying to change settings in msconfig.

Also, automatic updates is disabled, configuration window is greyed out even on administrator account.

Is there anything that will take care of those issues?
0
 
LVL 6

Expert Comment

by:K_Wilke
Run combofix found here:
http://www.bleepingcomputer.com/download/anti-virus/combofix
Let it do its thing. It might take a while to run fully.
Thanks,
Kelly W.
0
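As an added example (not part of this thread, and not ComboFix's own code), the following Python script triages the "Reg Loading Points" and services section of a ComboFix log like the one the asker posts below. It flags the policy keys that explain a greyed-out Automatic Updates panel and a switched-off Windows Firewall, firewall port exceptions that are still live, an IE Browser Helper Object for which no file was resolved, and autostarts or services that point at 8.3 short-name paths (the HeadlineAlley toolbar residue in the posted log), and pairs each finding with the XP-era reg/netsh/sc command that undoes it. The sample is a shortened excerpt of the posted log; the rule table, the severity labels, the 8.3-path heuristic and the assumption that a port entry is live unless it carries an explicit Disabled flag are this example's own.

```python
"""Triage the 'Reg Loading Points' / services section of a ComboFix log for
lockouts and residue that scanners leave behind.  Example code written for
this thread; rule table and remediation commands are assumptions, not
ComboFix output.  Run the commands from an administrator cmd prompt on XP."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    what: str      # one-line description of the problem
    fix: str       # XP-era command that undoes it


# Shortened excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2011-07-21 12023568]
"HeadlineAlley_29 Browser Plugin Loader"="c:\progra~1\HEADLI~2\bar\1.bin\29brmon.exe" [2011-04-05 27648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:HASP Port
S2 HeadlineAlley_29Service;HeadlineAlley Service;c:\progra~1\HEADLI~2\bar\1.bin\29barsvc.exe [4/5/2011 5:16 PM 36864]
"""

# (registry key suffix, value name) -> (bad value, severity, description, fix); lower-case keys.
POLICY_RULES = {
    (r"windowsupdate\au", "noautoupdate"): ("1", "high",
        "Automatic Updates disabled by policy (this is what greys out the AU control panel)",
        r'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /f'),
    (r"firewallpolicy\standardprofile", "enablefirewall"): ("0", "high",
        "Windows Firewall turned off in the standard profile",
        "netsh firewall set opmode mode=ENABLE profile=STANDARD"),
    (r"policies\system", "hidefastuserswitching"): ("1", "info",
        "Fast User Switching hidden by policy (can be legitimate, e.g. Windows SteadyState; review)",
        r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /f'),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[")   # "S2 name;display;path [date size]"
SHORT_NAME_RE = re.compile(r"~\d")                                  # 8.3 components: progra~1, HEADLI~2
HIVES = {"hkey_local_machine": "HKLM", "hklm": "HKLM", "hkey_current_user": "HKCU", "hkcu": "HKCU"}


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""            # registry key whose values are currently being listed
    pending_bho = None  # CLSID of a BHO key for which no DLL line has appeared yet

    def close_bho():
        nonlocal pending_bho
        if pending_bho:
            findings.append(Finding("medium",
                f"Browser Helper Object {pending_bho} is registered but ComboFix resolved no file for it",
                rf'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{pending_bho}" /f'))
            pending_bho = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            close_bho()
            key = m.group(1)
            if "browser helper objects" in key.lower():
                pending_bho = key.rsplit("\\", 1)[-1]
            continue
        pending_bho = None  # any content line under a BHO key means its DLL was listed
        if m := SERVICE_RE.match(line):
            state, name, path = m.groups()
            if SHORT_NAME_RE.search(path):
                findings.append(Finding("medium",
                    f"Service {name} ({state}) runs from 8.3 short-name path {path}; typical toolbar residue",
                    f"sc stop {name} & sc delete {name}"))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, value, lkey = m.group(1), m.group(2), key.lower()
        for (suffix, vname), (bad, sev, what, fix) in POLICY_RULES.items():
            if lkey.endswith(suffix) and name.lower() == vname and value.split()[:1] == [bad]:
                findings.append(Finding(sev, what, fix))
        if lkey.endswith(r"globallyopenports\list"):
            fields = value.split(":")
            if "Disabled" not in fields:  # assumption: live unless explicitly flagged Disabled
                findings.append(Finding("medium",
                    f"Inbound {fields[1]} port {fields[0]} opened in the firewall ({fields[-1]})",
                    f"netsh firewall delete portopening protocol={fields[1]} port={fields[0]}"))
        if lkey.endswith(("\\run", "\\runonce")):
            pm = re.match(r'^"([^"]*)"', value)
            path = pm.group(1) if pm else value
            if SHORT_NAME_RE.search(path):
                hive, _, subkey = key.partition("\\")
                findings.append(Finding("medium",
                    f"Autostart '{name}' points at 8.3 short-name path {path}; typical toolbar residue",
                    f'reg delete "{HIVES.get(hive.lower(), hive)}\\{subkey}" /v "{name}" /f'))
    close_bho()
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.what}\n         fix: {f.fix}")
```

The 8.3-path rule is a heuristic: legitimate installers (InstallShield's ISUSPM entry in the full log, for instance) also register short-name paths, so treat those hits as "look at this", not "delete this". The two `high` findings are the ones that matter most here: `NoAutoUpdate=1` under the WindowsUpdate\AU policy key is exactly what leaves the Automatic Updates configuration window greyed out for every account, administrator included, and `EnableFirewall=0` means the box has been sitting on the network without its host firewall.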
 

Author Comment

by:Chicago_Guy
Ok, ran ComboFix,

still cannot enable automatic updates,

here is the log, and after that a hijackthis log as well:

ComboFix 11-09-02.04 - JJAdmin 09/02/2011  18:07:08.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2037.1340 [GMT -5:00]
Running from: c:\documents and settings\JJAdmin\Desktop\ComboFix.exe
AV: Live Security Suite *Disabled/Updated* {F5BECBCD-2BE5-47BA-A5C6-F4E8AEC7EDF0}
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mrfec\20050617143850734_SF-555P_print_eng.exe
c:\documents and settings\mrfec\g2mdlhlpx.exe
c:\documents and settings\mrfec\gosetup.exe
c:\documents and settings\mrfec\System
c:\documents and settings\mrfec\System\win_qs8.jqx
c:\documents and settings\mrfec\WINDOWS
c:\progra~1\HEADLI~2\bar\1.bin\29BAr.dll
c:\program files\HeadlineAlley_29\bar\1.bin\29BAr.dll
c:\program files\HeadlineAlley_29\bar\1.bin\29SRcas.dll
c:\program files\Object\bho_project.dll
c:\windows\MailSwitch.ocx
c:\windows\system32\comct332.ocx
c:\windows\system32\restart.exe
c:\windows\system32\win.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_WEBSERVER
.
.
(((((((((((((((((((((((((   Files Created from 2011-08-02 to 2011-09-02  )))))))))))))))))))))))))))))))
.
.
2011-09-02 22:17 . 2011-09-02 22:20      --------      dc----w-      c:\documents and settings\JJAdmin
2011-08-29 14:28 . 2011-08-29 14:28      --------      d-----w-      c:\program files\Defraggler
2011-08-28 22:48 . 2011-08-28 22:48      --------      d-----w-      c:\program files\Trend Micro
2011-08-27 19:27 . 2010-07-26 18:42      52080      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2011-08-27 19:27 . 2011-08-27 19:27      --------      dc----w-      c:\documents and settings\All Users\Application Data\CitrixLogs
2011-08-27 19:27 . 2010-07-26 18:42      111472      ----a-w-      c:\windows\system32\gotomon.dll
2011-08-25 20:46 . 2011-08-25 20:46      --------      d-----w-      c:\program files\Microsoft Analysis Services
2011-08-25 20:46 . 2011-08-25 20:52      --------      d-----w-      c:\windows\SHELLNEW
2011-08-25 20:44 . 2011-08-25 20:44      --------      dc----r-      C:\MSOCache
2011-08-24 23:46 . 2011-08-24 23:46      302592      --sha-w-      C:\EUMONBMP.SYS
2011-08-24 23:43 . 2011-08-06 05:52      184072      ----a-w-      c:\windows\system32\drivers\EuFdDisk.sys
2011-08-24 23:43 . 2011-08-06 05:52      16008      ----a-w-      c:\windows\system32\drivers\eudskacs.sys
2011-08-24 23:43 . 2011-08-06 05:52      38920      ----a-w-      c:\windows\system32\drivers\eubakup.sys
2011-08-24 23:43 . 2011-08-06 05:52      42376      ----a-w-      c:\windows\system32\drivers\EUBKMON.sys
2011-08-24 23:41 . 2011-08-06 05:52      20616      ----a-w-      c:\windows\system32\fbnative.exe
2011-08-24 23:41 . 2011-08-24 23:41      --------      d-----w-      c:\program files\EaseUS
2011-08-23 14:25 . 2011-08-23 14:25      --------      dc----w-      c:\documents and settings\All Users\Application Data\MemeoCommon
2011-08-23 14:24 . 2011-08-23 14:24      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2011-08-23 14:23 . 2011-08-23 14:29      --------      d-----w-      c:\program files\Memeo
2011-08-23 02:41 . 2011-07-07 00:52      41272      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 02:41 . 2011-08-23 02:41      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2011-08-23 02:41 . 2011-07-07 00:52      22712      ----a-w-      c:\windows\system32\drivers\mbam.sys
2011-08-23 02:01 . 2011-06-24 14:10      139656      ------w-      c:\windows\system32\dllcache\rdpwd.sys
2011-08-23 02:01 . 2011-07-08 14:02      10496      ------w-      c:\windows\system32\dllcache\ndistapi.sys
2011-08-23 01:09 . 2011-08-23 01:09      --------      d-----w-      c:\program files\Glary Utilities
2011-08-23 01:03 . 2011-08-23 01:03      --------      d-----w-      c:\program files\CCleaner
2011-08-10 19:08 . 2011-08-10 19:08      --------      d-----w-      c:\program files\W3i
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-02 22:12 . 2010-06-12 15:50      256      ----a-w-      c:\documents and settings\mrfec\pool.bin
2011-07-15 13:29 . 2004-08-10 17:51      456320      ----a-w-      c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-10 17:51      10496      ----a-w-      c:\windows\system32\drivers\ndistapi.sys
2011-07-07 18:08 . 2011-07-18 13:13      17280      ----a-w-      c:\windows\system32\roboot.exe
2011-06-24 14:10 . 2004-08-10 18:01      139656      ----a-w-      c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-10 17:51      916480      ----a-w-      c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-10 17:51      43520      ------w-      c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-10 17:51      1469440      ----a-w-      c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-10 17:51      385024      ------w-      c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-10 17:51      293376      ----a-w-      c:\windows\system32\winsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2011-07-21 12023568]
"HeadlineAlley_29 Browser Plugin Loader"="c:\progra~1\HEADLI~2\bar\1.bin\29brmon.exe" [2011-04-05 27648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Nuance PDF Reader-reminder"="c:\program files\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"Logoff"="c:\program files\Windows SteadyState\SCTUINotify.exe" [2008-05-30 163856]
"Bubble"="c:\program files\Windows SteadyState\Bubble.exe" [2008-05-30 182288]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-27 273544]
"Adobe ARM"="c:\program files\common files\adobe\arm\1.0\adobearm.exe" [2011-06-06 937920]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Reader Speed Launcher"="c:\program files\adobe\reader 10.0\reader\reader_sl.exe" [2011-06-06 35736]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2011-08-06 70792]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2011-08-06 744072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-08-05 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 18:42      15216      ----a-w-      c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windows SteadyState]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mrfec^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55      937920      ----a-w-      c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 03:32      648536      -c--a-w-      c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2011-05-16 12:50      50592      ----a-w-      c:\documents and settings\mrfec\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12      15360      ----a-w-      c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09      460784      ----a-w-      c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-01-07 17:10      30192      ----a-w-      c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-05-09 16:23      161336      ----a-w-      c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22      3739648      ----a-w-      c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 15:50      205480      ----a-w-      c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2007-08-30 15:50      205480      ----a-w-      c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12      3872080      ----a-w-      c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54      417792      ----a-w-      c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-09-19 15:37      236016      ----a-w-      c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59      254696      ----a-w-      c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-13 19:17      68856      ----a-w-      c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12      143360      ----a-w-      c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2008-06-05 22:06      125208      ----a-w-      c:\program files\Yahoo!\Common\YMailAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48      479232      ----a-w-      c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AVPath"="\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\"{F5BECBCD-2BE5-47BA-A5C6-F4E8AEC7EDF0}\""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\mrfec\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Lync\\UcMapi.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\mrfec\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Microsoft Lync\\communicator.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:HASP Port
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [8/24/2011 6:43 PM 38920]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [8/24/2011 6:43 PM 42376]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [5/22/2011 10:17 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [5/22/2011 10:17 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 6:55 PM 815736]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [8/24/2011 6:43 PM 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [8/24/2011 6:43 PM 184072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [5/22/2011 10:17 AM 136312]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 2:33 AM 821664]
R2 DBService;SyncThru Web Admin Service Database Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe [1/16/2006 3:47 PM 114688]
R2 DispatcherServiceNT;SyncThru Web Admin Service Dispatcher Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe [1/16/2006 3:50 PM 106496]
R2 DMService;SyncThru Web Admin Service Device Manager Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe [1/16/2006 3:47 PM 327680]
R2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [8/24/2011 6:41 PM 60040]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [5/22/2011 10:17 AM 130008]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [4/24/2010 1:10 AM 483688]
R2 SLPService;SyncThru Web Admin Service SLP Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe [1/16/2006 3:48 PM 110592]
R2 SNMPService;SyncThru Web Admin Service SNMP Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe [1/16/2006 3:48 PM 229376]
R2 WebServiceNT;SyncThru Web Admin Service Web Server;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe [1/16/2006 3:48 PM 126976]
R2 Windows SteadyState;Windows SteadyState Service;c:\program files\Windows SteadyState\SCTSvc.exe [5/30/2008 2:41 PM 115728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 1:17 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110902.030\IDSXpx86.sys [9/2/2011 4:59 PM 356280]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [4/24/2010 1:10 AM 209768]
S2 gupdate1c9ca11c9487ab8;Google Update Service (gupdate1c9ca11c9487ab8);c:\program files\Google\Update\GoogleUpdate.exe [4/30/2009 11:03 PM 133104]
S2 HeadlineAlley_29Service;HeadlineAlley Service;c:\progra~1\HEADLI~2\bar\1.bin\29barsvc.exe [4/5/2011 5:16 PM 36864]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\drivers\ADM8511.SYS [9/20/2007 9:44 AM 24745]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/17/2007 8:12 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/30/2009 11:03 PM 133104]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32      128512      ----a-w-      c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-23 23:47]
.
2011-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-06 16:28]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 04:02]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 04:02]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3306005549-1961216853-1550191055-1006Core.job
- c:\documents and settings\mrfec\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-13 01:45]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3306005549-1961216853-1550191055-1006UA.job
- c:\documents and settings\mrfec\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-13 01:45]
.
2011-09-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3306005549-1961216853-1550191055-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3306005549-1961216853-1550191055-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3306005549-1961216853-1550191055-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3306005549-1961216853-1550191055-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-11-08 17:29]
.
2011-09-02 c:\windows\Tasks\User_Feed_Synchronization-{204066F4-AD61-46F7-8CA7-60886C7FA41E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
2011-09-02 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_D2TPPPD1_mrfec.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070917
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.15.1
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://192.168.15.151/WebClient.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://reports.igrs-ips.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{08f9937e-0a4f-48cf-94e7-827223daec1d} - c:\program files\HeadlineAlley_29\bar\1.bin\29SrcAs.dll
BHO-{f5046a39-68f3-4732-995f-eb2ea26d93fb} - (no file)
Toolbar-Locked - (no file)
Toolbar-{f5046a39-68f3-4732-995f-eb2ea26d93fb} - (no file)
MSConfigStartUp-%PROVIDERID% - bin\sprtcmd.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-VRQ Uploader - c:\program files\NortonVRQ\Engine\5.0.2.7\VRQUploadFiles.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 18:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(4844)
c:\windows\system32\WININET.dll
c:\progra~1\HEADLI~2\bar\1.bin\29brstub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\DIAS\CnxDIAS.exe
c:\program files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-09-02  18:21:05 - machine was rebooted
ComboFix-quarantined-files.txt  2011-09-02 23:21
.
Pre-Run: 125,515,988,992 bytes free
Post-Run: 125,519,052,800 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /bootlog /NoExecute=OptOut
.
- - End Of File - - 65F1DC7F8116ED068D223BB46A828273

And here is the HijackThis log from a scan after ComboFix as well:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:06:20 PM, on 9/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows SteadyState\SCTSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Lync\communicator.exe
C:\Program Files\Windows SteadyState\Bubble.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Documents and Settings\JJAdmin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070917
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Logoff] C:\Program Files\Windows SteadyState\SCTUINotify.exe
O4 - HKLM\..\Run: [Bubble] C:\Program Files\Windows SteadyState\Bubble.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] c:\program files\adobe\reader 10.0\reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [EaseUs Watch] "C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe"
O4 - HKLM\..\Run: [EaseUs Tray] "C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\mrfec\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} (WebClient Control) - http://192.168.15.151/WebClient.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - https://reports.igrs-ips.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: SyncThru Web Admin Service Database Service (DBService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
O23 - Service: SyncThru Web Admin Service Dispatcher Service (DispatcherServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
O23 - Service: SyncThru Web Admin Service Device Manager Service (DMService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EaseUS Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate1c9ca11c9487ab8) (gupdate1c9ca11c9487ab8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HeadlineAlley Service (HeadlineAlley_29Service) - HeadlineAlley - C:\PROGRA~1\HEADLI~2\bar\1.bin\29barsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SyncThru Web Admin Service SLP Service (SLPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
O23 - Service: SyncThru Web Admin Service SNMP Service (SNMPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: SyncThru Web Admin Service Web Server (WebServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 17696 bytes
0
 
LVL 3

Expert Comment

by:WiReDWolf
Comment Utility
Just for fun (cuz this is just so much fun, right?) try running HitManPro.  

MalwareBytes is excellent at detecting malware/grayware, etc, but this is the only program I've found so far that is good at looking for rootkit viruses.
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 250 total points
Comment Utility
Your HJT log shows entries for Norton AND McAfee.  That is not a good idea.  Uninstall any remnant of McAfee using the MCPR tool:

http://service.mcafee.com/FAQDocument.aspx?id=TS100507

There are a couple of redundant entries which you should fix:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

You are running 39 startup programs.  Do you really need all those?

There is no obvious malware in the HJT log, but that doesn't mean much these days. Combofix found and deleted a number of files.  So how is the pc running now?

If you still have symptoms, try an online scan from Eset:

http://go.eset.com/us/online-scanner/run

Post scan log for review.
0
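The checks above (the startup-program count, leftover entries pointing at a missing file, and two security suites on one machine) are easy to repeat after each cleanup pass if they are scripted. The cmd script below is an added example, not something from the thread or from HijackThis itself; it assumes the HJT log was saved to a text file, and the default file name hijackthis.log is an assumption.

```batch
@echo off
REM Added example: pull the reviewable sections out of a saved HijackThis log.
REM Pass the log path as the first argument; otherwise hijackthis.log in the
REM current folder is assumed.
setlocal
set "LOG=%~1"
if "%LOG%"=="" set "LOG=hijackthis.log"
if not exist "%LOG%" (
    echo Log file "%LOG%" not found.
    exit /b 1
)

echo === O4 startup entries: count, then the lines themselves ===
find /c "O4 - " "%LOG%"
findstr /b /c:"O4 - " "%LOG%"

echo.
echo === Entries whose target file no longer exists (safe to fix in HJT) ===
findstr /c:"(no file)" "%LOG%"

echo.
echo === O2 browser helper objects and O3 toolbars loaded into IE ===
findstr /b /c:"O2 - " /c:"O3 - " "%LOG%"

echo.
echo === O16 downloaded ActiveX controls and O18 protocol/filter hooks ===
findstr /b /c:"O16 - " /c:"O18 - " "%LOG%"

echo.
echo === O23 services with no identified publisher ===
findstr /b /c:"O23 - " "%LOG%" | findstr /c:"Unknown owner"

echo.
echo === Lines naming a security vendor (more than one vendor = conflict) ===
findstr /i /c:"Symantec" /c:"Norton" /c:"McAfee" "%LOG%"
endlocal
```

Each `findstr /b /c:"..."` matches the literal HijackThis line prefix at the start of the line, so the script stays correct even if a path in the log happens to contain the same letters. Every line it prints still needs a human decision; the script only narrows the list to the categories reviewers look at first.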
 
LVL 9

Expert Comment

by:Ashok Dewan
Comment Utility
It's good that you spent so many hours analyzing and repairing the system from viruses; you have learned many things from this. It seems that the malware has been removed but its entries still remain, and it is very difficult to determine where the virus made those entries. In this situation, if you can repair your PC without formatting, then maybe the entries would be gone. Otherwise you can restore the registry manually, and also run SFC /scannow to check the system files: Sfc /scannow will inspect all of the important Windows files on your computer, including Windows DLL files. If System File Checker finds an issue with any of these protected files, it will replace it.

How to Restore the Registry Hives From a System Restore Snapshot in Windows XP
Part I

Start Windows XP Recovery Console.
Copy the five registry hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) from C:\Windows\System32\Config to C:\Windows\Tmp, adding the .bak extension.
Delete the five registry hives from C:\Windows\System32\Config
Copy the five registry hives from C:\Windows\Repair folder to C:\Windows\System32\Config
With this done, you should be able to start Windows XP using the registry that was created during the initial setup of Windows XP. As a result, any changes and settings that occurred after the Setup program was finished are lost.

If you notice that your system is not able to boot after restoring the registry, then copy all the registry hives from C:\Windows\Tmp back to C:\Windows\System32\Config and change the .bak extension back.

0
 

Author Closing Comment

by:Chicago_Guy
Comment Utility
Thank you all for your suggestions.

I split the points among those that gave me info that got me started.

The first few scans removed most if not all of the real issues; what was left was taking care of the broken parts of Windows XP Home. A helper from bleepingcomputer guided me through the rest. My friend lucked out in that it was not damaged beyond repair (and I am crazy enough to try it). It did take me a good 24 to 36 hours of work (this includes scan time).

Learned a lot, and again, thank you all!
0